[proposal] Remove Spring Social Integration #7308

Closed
1 task done
ruddell opened this issue Mar 16, 2018 · 9 comments

@ruddell
Member

ruddell commented Mar 16, 2018

Overview of the issue

I'm proposing to remove our custom Social Login option.

Few reasons for this:

  • The code currently works for Google, but fails for Twitter/Facebook when the email returned from the social site is null (we cache users on both username and email).
  • Users who sign up with Social Login can't change their password because they don't set it in registration.
  • In my experience, most people just want the Login aspect and we don't provide code that actually uses the feature set of Spring Social. This ties in with my next point.
  • Keycloak/Okta offer mostly the same Social Login options, but with improvements
    • Example: Keycloak prompts the user for an email if it doesn't exist in the social info
    • Keycloak supports GitHub, Twitter, Facebook, Openshift, Google, Gitlab, LinkedIn, Microsoft, BitBucket, StackOverflow, and Custom SAML
    • Okta supports Facebook, Microsoft, Google, LinkedIn, and Custom SAML
  • v5 would be a good time to do a breaking change like this, no React frontend yet

Related issues

Social login is acting anti-social and email isNull problem #7032
Remove Spring Social Facebook #7201 (I had not seen Keycloak/Okta social login at this time)

Any thoughts or reasons not to remove it? Personally, I don't have the free time to rewrite the social login flow to account for empty social profile fields (and not sure how to do it), and we already have a working replacement.

  • Checking this box is mandatory (this is just to show you read everything)
@jdubois
Member

jdubois commented Mar 16, 2018

Oh we kept the social login for you, so if you want to remove it, let's do it! Indeed we have better options with Keycloak and Okta.

@BhawaniSingh
Member

I'm planning to integrate the social connectors into jhipster-uaa, I'm planning to write down a complete lib for it and integrate it in UAA.
Let me know if that's a good idea or not.

@ruddell
Member Author

ruddell commented Mar 17, 2018

I can do the PR later today.

@BhawaniSingh The main challenge is that Twitter/Facebook don't always return an email, so you need to set up a post-login flow to collect the missing information before they can be registered.

@BhawaniSingh
Member

BhawaniSingh commented Mar 17, 2018 via email

@deepu105
Member

@BhawaniSingh I wouldn't be in favor of adding this for the UAA option as the UAA is pretty similar to the OIDC option so people who want social login should rather use Keycloak than UAA, this way we wouldn't have to reimplement and maintain what is already supported by Keycloak.

@dearnani

Appreciate your efforts @ruddell. Looking forward to using this feature with Keycloak... May be a better replacement of tableau for new product's social login feature.

ruddell added a commit to ruddell/generator-jhipster that referenced this issue Mar 17, 2018
@ruddell ruddell mentioned this issue Mar 17, 2018
4 tasks
@ruddell
Member Author

ruddell commented Mar 17, 2018

@dearnani Thanks! 😄 Social Login is already available if you use OAuth2 auth type with Keycloak or Okta, you just have to add an identity provider in the management pages.

ruddell added a commit to ruddell/generator-jhipster that referenced this issue Mar 17, 2018
@sdoxsee
Contributor

sdoxsee commented Mar 17, 2018

@ruddell makes sense to me. Simplification. I wouldn't add it to UAA either as OIDC (oauth2) is a superior solution (IMO) for federated identity for the reasons you gave.

ruddell added a commit to ruddell/jhipster.github.io that referenced this issue Mar 18, 2018
@jdubois jdubois added this to the 5.0.0-beta.0 milestone Apr 3, 2018
@ruddell
Member Author

ruddell commented Nov 17, 2018

Commenting this here so I have somewhere to point when someone asks why social login was removed, which happens every so often. Issues include:

  • Twitter never gives you the user email
  • Facebook sometimes gives the user email
  • Usernames can conflict if two people sign up with the same name
  • Social users' emails may be unverified (resulting in linking to wrong accounts)
  • Social users can't use the Settings or Change Password pages
  • Issues linking existing users with their social accounts
  • Redirect page on login is hardcoded
  • Release library doesn't work, have to use snapshots (may be working now)
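
Added example, not part of the thread or of JHipster's code: one way a sign-in policy can handle the missing-email, unverified-email and username-conflict cases listed in the comment above. All class, record and method names are hypothetical, the sample profiles are constructed, and records require Java 16 or later.

```java
import java.util.*;

// Hypothetical policy object holding the lower-cased emails and logins of local accounts.
public record SocialSignInPolicy(Set<String> existingEmails, Set<String> existingLogins) {
    enum Action { COLLECT_EMAIL, VERIFY_EMAIL_FIRST, LINK_EXISTING, CREATE_NEW }

    record SocialProfile(String provider, String providerUserId, String displayName,
                         String email, boolean emailVerified) {}
    record Decision(Action action, String login) {}

    Decision decide(SocialProfile p) {
        // Twitter never returns an email and Facebook only sometimes: ask the user for one
        // in a post-login step instead of registering an account with a null email.
        if (p.email() == null || p.email().isBlank()) {
            return new Decision(Action.COLLECT_EMAIL, null);
        }
        String email = p.email().trim().toLowerCase(Locale.ROOT);
        // An unverified address proves nothing about ownership, so it must never be
        // linked to (or registered as) an account until the user has confirmed it.
        if (!p.emailVerified()) {
            return new Decision(Action.VERIFY_EMAIL_FIRST, null);
        }
        if (existingEmails.contains(email)) {
            return new Decision(Action.LINK_EXISTING, null);
        }
        return new Decision(Action.CREATE_NEW, uniqueLogin(p.displayName()));
    }

    // Derive a login from the display name and add a numeric suffix until it is unused.
    private String uniqueLogin(String displayName) {
        String base = displayName == null ? ""
            : displayName.toLowerCase(Locale.ROOT).replaceAll("[^a-z0-9]", "");
        if (base.isEmpty()) base = "user";
        String candidate = base;
        for (int i = 2; existingLogins.contains(candidate); i++) candidate = base + i;
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample data: one local account and four incoming social profiles.
        var policy = new SocialSignInPolicy(Set.of("alice@example.com"), Set.of("alice", "johnsmith"));
        List<SocialProfile> samples = List.of(
            new SocialProfile("twitter", "1001", "John Smith", null, false),
            new SocialProfile("facebook", "2002", "Mallory", "alice@example.com", false),
            new SocialProfile("google", "3003", "Alice", "Alice@Example.com", true),
            new SocialProfile("google", "4004", "John Smith", "john@example.com", true));
        for (SocialProfile p : samples) System.out.println(p.provider() + " -> " + policy.decide(p));
    }
}
```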
